Cybersecurity & Data Protection: Thinking About Risk & Compliance
Shawn E. Tuma, Scheef & Stone, LLP (@shawnetuma, www.solidcounsel.com)

Uploaded by: shawn-tuma

Posted on 28-Jul-2015

Category: Law

TRANSCRIPT

1. Cybersecurity & Data Protection: Thinking About Risk & Compliance. Shawn E. Tuma, Scheef & Stone, LLP, @shawnetuma, www.solidcounsel.com

2. "There are only two types of companies: those that have been hacked, and those that will be." Robert Mueller

3. 97% of companies tested had been breached in the prior 6 months.

4. The odds: security has to be right 100% of the time; the hacker only has to be right once.

5. Three reasons to care: Stewardship, Public Relations, Legal.

6. Texas breach notification. "Sensitive personal information" whose compromise is a data breach:
- first name (or first initial) + last name + SSN, driver's license number or government ID
- first name (or first initial) + last name + account or card number + access or security code
- information that identifies an individual + health care provided to, or paid for, that individual
Duty to notify when there is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information: Tex. Bus. & Com. Code 521.053.
Civil penalty: $100.00 per individual per day for notification delay, not to exceed $250,000 for a single breach: 521.151.

7. Average cost of a data breach:
- 2013 (pre-Target): $188.00 per record; $5.4 million total average cost paid by organizations
- 2014: $201 per record; $5.9 million total average cost paid by organizations
"The primary reason for the increase is the loss of customers following the data breach due to the additional expenses required to preserve the organization's brand and reputation." Ponemon Institute, 2014 Cost of Data Breach Study

8. 2014: 90% of breaches were preventable.

9. The real problems: theft, lost passwords, phishing, websites, basic IT. Case stories.

10. Blocking & tackling: best practices (approved & documented)
- Basic IT security
- Basic physical security
- Policies & procedures focused on data security: company workforce (Rajaee v. Design Tech Homes, Ltd.), network, business associates (Travelers Casualty v. Ignition Studio, Inc.)
- Breach response plan
- Implementation & training
- Regular reassessment & update
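The three "sensitive personal information" combinations on slide 6 can be written down as a rule set and run over the columns of a breached export, so that an incident responder can count how many rows actually carry a triggering combination (a row with a name but an empty SSN field does not) and size the 521.151 delay penalty from that count. This is an added Python example, not code from the presentation; the column-name synonyms, the sample rows and the assumption that one row is one individual are constructed for the example, and the rules are the slide's summary rather than the statute text.

```python
"""Classify breached rows against the three "sensitive personal information"
combinations listed on slide 6 (Tex. Bus. & Com. Code ch. 521, as the slide
summarises it) and size the notification-delay penalty from 521.151.

Added example, not code from the presentation. The column-name synonyms and
the sample rows are constructed; one row is assumed to be one individual.
"""
from typing import Dict, Iterable, List, Set

# Constructed mapping from column names seen in exports to the categories the
# slide uses. Columns not listed here are ignored.
CATEGORY_BY_COLUMN: Dict[str, str] = {
    "first_name": "first", "fname": "first", "first_initial": "first",
    "last_name": "last", "lname": "last", "surname": "last",
    "ssn": "govt_id", "drivers_license": "govt_id", "dln": "govt_id",
    "passport": "govt_id", "govt_id": "govt_id",
    "account_number": "acct", "card_number": "acct", "pan": "acct",
    "cvv": "access_code", "pin": "access_code", "security_code": "access_code",
    "email": "identifies", "patient_id": "identifies", "mrn": "identifies",
    "diagnosis": "health", "treatment": "health", "claim_paid": "health",
}

# The triggering combinations from slide 6: every category in a set must be present.
TRIGGERS: Dict[str, Set[str]] = {
    "name + SSN/DLN/government ID": {"first", "last", "govt_id"},
    "name + account or card number + access/security code": {"first", "last", "acct", "access_code"},
    "identifying info + health care provided or paid for": {"identifies", "health"},
}

PENALTY_PER_INDIVIDUAL_PER_DAY = 100  # 521.151 as stated on the slide
PENALTY_CAP_PER_BREACH = 250_000


def categories_present(row: Dict[str, str]) -> Set[str]:
    """Categories for which the row carries a non-empty value."""
    return {
        CATEGORY_BY_COLUMN[col.lower()]
        for col, val in row.items()
        if col.lower() in CATEGORY_BY_COLUMN and val not in (None, "")
    }


def triggered_by(row: Dict[str, str]) -> List[str]:
    """Names of the slide-6 combinations this row satisfies (may be several)."""
    present = categories_present(row)
    return [name for name, needed in TRIGGERS.items() if needed <= present]


def assess(rows: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Count individuals whose row satisfies at least one trigger, and which ones."""
    affected = 0
    by_trigger = {name: 0 for name in TRIGGERS}
    for row in rows:
        hits = triggered_by(row)
        if hits:
            affected += 1
            for name in hits:
                by_trigger[name] += 1
    return {"affected_individuals": affected, "by_trigger": by_trigger}


def delay_penalty(affected_individuals: int, days_late: int) -> int:
    """$100 per individual per day of delay, capped at $250,000 per breach."""
    raw = PENALTY_PER_INDIVIDUAL_PER_DAY * affected_individuals * days_late
    return min(raw, PENALTY_CAP_PER_BREACH)


# Constructed sample export: a mix of rows that do and do not trigger.
SAMPLE_ROWS = [
    {"first_name": "Ann", "last_name": "Doe", "ssn": "123-45-6789"},      # name + SSN
    {"first_name": "Bob", "last_name": "Roe", "ssn": ""},                 # SSN empty: no trigger
    {"fname": "Cy", "lname": "Poe", "card_number": "4111111111111111",
     "cvv": "123"},                                                       # name + card + code
    {"fname": "Di", "lname": "Moe", "card_number": "4111111111111111"},   # card without code: no trigger
    {"email": "eve@example.com", "diagnosis": "asthma"},                  # identifier + health
    {"email": "fay@example.com", "zip": "75024"},                         # no trigger
]

if __name__ == "__main__":
    result = assess(SAMPLE_ROWS)
    print(result)  # 3 affected individuals, one per trigger
    print(delay_penalty(result["affected_individuals"], days_late=10))  # 3000
    print(delay_penalty(5000, days_late=1))  # 250000, the per-breach cap
```

The count that matters for notification is rows that satisfy a full combination, which is why empty values are dropped before the set comparison; a column-level check ("the table has an SSN column") would overstate the affected population and the penalty exposure.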
11. Security culture: a risk & compliance program
- Assess, audit, gap analysis
- Develop strategic plan
- Implement & execute plan
- Manage response & conflict
- Reassess & update
Protecting businesses' information; protecting businesses from their information.

12. Login credentials. "You don't drown from falling into the water." 25k v. 40m (T) / 56m (HD)

13. (image slide)

14. (image slide)

15. Data sources: company data; workforce data; customer/client data; other parties' data; 3rd-party business associates' data; outsiders' data.

16. Threat vectors: network; website; email; BYOD; USB; GSM; Internet surfing; business associates; people.

17. Outsider & insider threats
Insiders:
- Malicious: compete, newco
- Sabotage: disloyal insider
- Negligence: email, USB, passwords
- Blended: foot out the door, misuse of network, stealing data, negligence with data, violating use policies
Outsiders: hacking/cracking; social engineering; malware; stealing; planting; corrupting.

18. Data, devices, misuse?

19. Misuse case examples
Employees & insiders:
- disclose company's IP on the Internet
- email company's IP to self
- delete company's emails & work projects (eraser)
- back up company data in violation of policies
- generate fraudulent commission payments
- steal customers' data to sell for fraud
- create a backdoor into the network before leaving
Business associates:
- steal company server
- scrape data for a competing company
- keyloggers / surreptitious forwarding or monitoring
- take control of accounts, force out partners
- permit breach / wrongful access to a 3rd party's business associates' data
Businesses:
- remote wipe of phone without a BYOD policy
- lost devices: laptop, phone, USB
- email unencrypted PHI without request
- scrape competitors' websites without authorization
- data breach: hacked website checkout cart
- data breach: unpatched legacy program on server
- extortion: blogger demands money to stop
- extortion: vulnerability outside of bug bounty program
- extortion: threat to delete website unless paid for services
20. Protecting businesses from information
Contracts: 3rd-party liability; healthcare (BA); software license audit; permissible access & use in policies, BYOD; EULA / TOS
Marketing: FTC Act 5; SPAM laws; NLRB rules; CDA 230; website audits; IP issues; account ownership
Privacy: privacy policies; privacy & data practices; destruction policies; monitoring workforce; business intelligence
Industry regulation: PCI (Payment Card Industry); FFIEC (Federal Financial Institution Examination Council); FINRA (Financial Industry Regulatory Authority); SIFMA (Securities Industry and Financial Markets Association)

21. Let us think: newspaper; research; email scheduling lunch with client; trial exhibits; draft of plaintiff's original petition; Personally Identifiable Information (PII); Protected Health Information (PHI); formula for Coke.

22. Protecting, misusing, responding: data and devices.

23. Adviser; consultant; relationships coordinator; attorney.

24. Shawn Tuma, Partner, Scheef & Stone, L.L.P. 214.472.2135, [email protected], @shawnetuma, blog: shawnetuma.com, web: solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, intellectual property, and social media law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, throughout the world.
- Texas SuperLawyers 2015
- Best Lawyers in Dallas 2014 & 2015, D Magazine (Digital Information Law)
- Chair, Collin County Bar Association Civil Litigation & Appellate Section
- College of the State Bar of Texas
- Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
- Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
- Social Media Committee of the American Bar Association
- North Texas Crime Commission, Cybercrime Committee
- Infragard (FBI)
- International Association of Privacy Professionals
- Information Systems Security Association
- Contributor, Norse DarkMatters Security Blog
- Editor, Business Cyber Risk Law Blog